[nsp-sec] Paging Yahoo! - Phishing account
Daniel Adinolfi
dra1 at postoffice9.mail.cornell.edu
Mon Jun 2 06:46:35 EDT 2008
Folks,
We received a very targeted phishing attempt for Cornell University
accounts this morning. The reply-to address is
toolbasic at yahoo.com.
If there is someone from Yahoo! on the list, please have this account
taken down. The email message is listed below.
Thanks!
-Dan
_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 at cornell.edu phone: 607-255-7657
_______________________
Return-Path: <helpdesk at cornell.edu>
Received: from postoffice9.mail.cornell.edu ([unix socket])
by postoffice9.mail.cornell.edu (Cyrus v2.1.11) with LMTP; Mon, 02
Jun 2008 05:21:22 -0400
Received: from hermes30.mail.cornell.edu (hermes30.mail.cornell.edu
[132.236.56.55])
by postoffice9.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id
m529LJ6b001802
for <dra1 at postoffice9.mail.cornell.edu>; Mon, 2 Jun 2008 05:21:19
-0400 (EDT)
Received: (from daemon at localhost)
by hermes30.mail.cornell.edu (8.13.6/8.13.6) id m529L2vA001121;
Mon, 2 Jun 2008 05:21:02 -0400 (EDT)
Received: from localhost.localdomain (veronica.mail.cornell.edu
[132.236.56.51])
by hermes30.mail.cornell.edu (8.13.6/8.13.6) with ESMTP id
m529L04E001041;
Mon, 2 Jun 2008 05:21:02 -0400 (EDT)
Received: from unknown-host
by veronica with queue (Sophos PureMessage Version 5.303) id
36055023-11;
Mon, 02 Jun 2008 09:17:24 GMT
Received: from veronica_tc [10.236.56.7]
by with SMTP id ;
Mon, 02 Jun 2008 09:17:24 GMT
(envelope-from helpdesk at cornell.edu)
Received: from cic.jsu.ac.ir (unknown [78.39.195.19]) by 132.236.56.7;
Mon, 2 Jun 2008 05:17:24 -0400
Received: from cic.jsu.ac.ir (acc.jsu.ac.ir [127.0.0.1])
by cic.jsu.ac.ir (8.12.11/8.12.11) with ESMTP id m529G362001990;
Mon, 2 Jun 2008 13:46:03 +0430
Received: (from apache at localhost)
by cic.jsu.ac.ir (8.12.11/8.12.11/Submit) id m529G3MF001921;
Mon, 2 Jun 2008 05:16:03 -0400
X-Authentication-Warning: cic.jsu.ac.ir: apache set sender to helpdesk at cornell.edu
using -f
Received: from 217.21.79.162
(SquirrelMail authenticated user moezifar)
by cic.jsu.ac.ir with HTTP;
Mon, 2 Jun 2008 05:15:58 -0400 (EDT)
Message-ID: <1543.217.21.79.162.1212398158.squirrel at cic.jsu.ac.ir>
Date: Mon, 2 Jun 2008 05:15:58 -0400 (EDT)
Subject: VERIFY YOUR WEBMAIL
X-PH: V4.1 at hermes30
From: "CIT Contact Center (CORNELL UNIVERSITY)" <helpdesk at cornell.edu>
Reply-To: toolbasic at yahoo.com
Bcc:
User-Agent: SquirrelMail/1.4.2-3
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3
Importance: Normal
X-Original-IP: 78.39.195.19
X-PMX-Version: 5.3.3.310218, Antispam-Engine: 2.5.2.313940, Antispam-
Data: 2008.6.2.20419
X-PMX-CORNELL-SPAM-CHECKED: poppy
CORNELL UNIVERSITY
CORNELL INFORMATION TECHNOLOGY
Dear Subscriber,
We are currently upgrading our database and email account center. We
have
some problems on our database and it will affect your webmail account.We
are deleting all unused cornell.edu webmail account to create more space
for new accounts.
To prevent your account from closing you will have to update it below so
that we will know that it's being used presently. In 24 hours, you may
not
be able to access your webmail
CONFIRM YOUR EMAIL IDENTITY BELOW
NetID: .............
Password : .............
Failure to do this will immediately render your email address
deactivated
from our database.
Error Code# CL1034EDU
Thank you for your patience!!
CORNELL INFORMATION TECHNOLOGY
IDENTITY MANAGEMENT
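
The two header signals visible in the message above (a Reply-To domain that differs from the From domain, and sendmail's X-Authentication-Warning about `-f`), checked in Python as an added example that is not part of the original post. The function names, the `local_domain` parameter and the handling of the archive's "user at domain" obfuscation are assumptions; the sample is a few headers copied from the message with header folding restored.

```python
import re
from email import message_from_string

# Constructed sample: headers copied from the message above, kept in the
# archive's "user at domain" form; the continuation line is re-indented.
SAMPLE = """\
X-Authentication-Warning: cic.jsu.ac.ir: apache set sender to helpdesk at cornell.edu
 using -f
Subject: VERIFY YOUR WEBMAIL
From: "CIT Contact Center (CORNELL UNIVERSITY)" <helpdesk at cornell.edu>
Reply-To: toolbasic at yahoo.com
User-Agent: SquirrelMail/1.4.2-3

NetID: .............
"""

# Matches both user@domain and the archive's obfuscated "user at domain".
ADDR = re.compile(r"([\w.+-]+)\s*(?:@| at )\s*([\w-]+(?:\.[\w-]+)+)")

def domain_of(header_value):
    """Return the lower-cased domain of the first address found, or None."""
    m = ADDR.search(header_value or "")
    return m.group(2).lower() if m else None

def triage(raw, local_domain="cornell.edu"):
    """Return a list of findings for one raw message (local_domain is assumed)."""
    msg = message_from_string(raw)
    findings = []

    # Signal 1: replies would go to a different domain than the claimed sender.
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if from_dom and reply_dom and from_dom != reply_dom:
        findings.append(f"reply-to-mismatch: From {from_dom}, Reply-To {reply_dom}")

    # Signal 2: a foreign host reports that a local user set the envelope
    # sender with -f to an address in our own domain.
    for warn in msg.get_all("X-Authentication-Warning", []):
        flat = " ".join(warn.split())  # undo header folding
        m = re.search(r"^(\S+): (\S+) set sender to (.+?) using -f", flat)
        if m and domain_of(m.group(3)) == local_domain \
                and not m.group(1).lower().endswith(local_domain):
            findings.append(f"envelope-sender-override: {m.group(2)} on {m.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```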